Hash Functions - Cryptography - Lecture Slides, Slides of Cryptography and System Security

Download Hash Functions - Cryptography - Lecture Slides and more Slides Cryptography and System Security in PDF only on Docsity!

MAC’s and

Hash Functions

2

Message Authentication

Codes

AUTHENTICATION PROBLEM: Alice ( A ) sends Bob ( B ) a message through insecure channel modifiable by Mallory ( M ) GOAL: A encodes message in a way that enables B to detect any modification A^ B

M I^

U

I! U

4

Desired Properties

Hash function h should satisfy:

• Output < Input

• Collision resistant:

Finding different inputs with same output is computationally intractable

• One^ Way:

Easy to compute, hard to find pre-images

• Over insecure channel:^ secret keys

5

Hash Function Family

A HASH FAMILY is a 4-tuple

(X , Y , K , H ) satisfying

1. X is a (possibly infinite) set of

MESSAGES

2. Y is a finite set of possible TAGS

(or digests)

3. K is a finite set of possible KEYS

4. H is a finite set of hash func-

tions indexed by K

so for each K ∈ K there is a

function hK : X → Y

7

Primitive Elements

DEF: An element g in a group G is said to be primitive (or a generator ) if every element in G can be expressed in the form for some exponent index i. If G contains a primitive element, G is said to by cyclic.

NOTE: Equivalently, g is primitive if the first positive index for which is i = n = | G |.

THM: If F is a finite field, then is cyclic.

COR: If p is prime, is cyclic. Also, suppose g is primitive in. Then is primitive iff i is relatively prime to.

gi

gi^ = 1

F ∗

Z^ ∗ p

p − 1

Z^ ∗ p gi

8

Index Calculus

Can figure out everything about how numbers multiply in by seeing how their exponents (indices) add in. Generalization:

THM: If p is a prime number, then there is an isomorphism:.

NOTE: Isomormophism only easy to compute in (index)→(number) direction. Other direction (number)→(index) is DLog problem.

Z^ ∗ p Z^ + !( p )

Z^ ∗ p ≈ Z^ + !( p )

10

Computational Security

of Logarithmic Hash

THM: Existance of a BPP algorithm for collision finding in discrete log hash family, implies a BPP algorithm for discrete log prob. Note: Computational complexity definitions require considering infinite family of log hashes where allow arbitrarily large domains. LEMMA: Collision resistance implies one- wayness when domain >> codomain. COR: Discrete log hash “is” one way.

11

Collisions DLog

INPUT: p - prime, x,y with x primitive

OUTPUT:

EXTERNAL: FindCollision - assumed procedure for finding collisions in

1. if not prime, or y not primitive “FAIL”

3. ( a, b ) = FindCollision( K )

4. ... continued next page ...

∈ Z^ ∗ p

Dlog x ( y ) mod p

hK

p − 1 2 q = p − 1 2 ,! = x , " = y , K = ( p , q , !, ")

13

Iterated Hashes

• A procedure for repeatedly applying a

particular hash function, shrinking arbitrarily long messages to fixed length tags. EXAMPLE (Simple Merkle-Damgård):

• Assume^ h^ takes 260 bits to 132 bits and

that is never an output. Discrete log hash (viewed on bitstring) satisfies these.

• Define buffer function^ b -^ a 1-1 function

from bitstrings of length < 132 to bitstrings of length exactly 132.

14

Simple Merkle-

Damgård

INPUT: bitstring OUTPUT: bitstring EXTERNAL: compression function h //Break up into 128-bit blocks: for // buffer

for each block // concatenate strings // view z as a number return n

x = x 1 x 2... xk

y = y 1 y 2... y 132

zi = x 128 i + 1... x 128 i + 128

zi

n = h ( z )

zi + 1 = b ( x 128 i + 1... xk )

n = 0132

z = n ‖ z i

i ∈ [ 1 ,

⌊ (^) k 128

⌋ ]